Bugzilla – Bug 56622
VUL-0: CVE-2004-0536: tripwire: format string bug
Last modified: 2021-10-04 08:59:57 UTC
Hi. A security vulnerability in tripwire code. (CAN: CAN-2004-0536)
Reference: BUGTRAQ:20040602 Format String Vulnerability in Tripwire
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108627481507249&w=2
Reference: BUGTRAQ:20040603 Re: Format String Vulnerability in Tripwire
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108630983009228&w=2
Created attachment 20708: patchinfo-box.tripwire
Created attachment 20709: patchinfo.tripwire
Tomas, what about an update?
Tomas, are you on vacation?
I have submitted fixed packages for 8.2, 9.0, SLES9 and STABLE on Friday and I'll submit the others today and patchinfos as soon as the packages are checked in and rebuilt.
Please don't delay the patchinfo submission until the packages are checked in because I will only check in the packages when there is a patchinfo file...
I have checked releases prior to 8.2. We have Tripwire-1.2 there, a very old version, which is not affected. So I have submitted the box patchinfo only.
Reopened by thomas@suse.de at Tue Jun 22 20:48:39 2004
will be reassigned for tracking...
packages approved
a customer reported that the old SEGV problem appears again. when creating policy files by using twadmin a segfault is triggered.

unlink("tripwire-report-vZE5KC.txt") = 0
access("/var/lib/tripwire/report/serv4-20040629-092911.twr", F_OK) = -1 ENOENT (No such file or directory)
lstat64("/var/lib/tripwire/report/serv4-20040629-092911.twr", 0xbfffd4a0) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE@euro/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de@euro/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/LC_MESSAGES/libc.mo", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=90059, ...}) = 0
old_mmap(NULL, 90059, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40203000
close(3) = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\6\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=6052, ...}) = 0
old_mmap(NULL, 8860, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4007f000
old_mmap(0x40081000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x40081000
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
write(2, "Software interrupt forced exit: "..., 51Software interrupt forced exit: Segmentation Fault
) = 51
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
getpid() = 25833
kill(25833, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
write(2, " Abort\n", 7 Abort
) = 7
munmap(0x4007e000, 4096) = 0
munmap(0x4007d000, 4096) = 0
exit_group(8) = ?

Reopened by thomas@suse.de at Tue Jun 29 18:12:11 2004
reopen
Are you sure you have reopened the very bug? Tripwire used to segfault on non-i386 archs - see bug 51050. I have tested tripwire from stable (=sles9) and twadmin did not segfault.
is the arch used in comment #12 a non-i386 arch? i remember we solved the bug by compiling/linking tripwire with another binutils (???) package. maybe this was missing here... i dunno.
to be honest i have nothing against dropping this package as long as we ship AIDE or alike.
That was bug 48440. See also comment #10 of that bug for comparison of AIDE and tripwire. I do not understand, what does the customer judge from this is 'the old SEGV problem' and not just another SEGV problem. Please, open a new bug and reclose this one as there seems to be no relation between the format string bug and the segfault. Add comment #15 and comment #16: I have tested on an i386 arch. I do not know, which arch does comment #12 come from. The information would come in handy.
If the customer is still using 8.2, you may be right it is the binutils problem, since IIRC we have never fixed binutils in 8.2. In bug 48440 Rudi built a package for the customer with binutils from stable (which I do not know what it was those days) and we need to do the same and we will need to do that whenever tripwire is rebuilt for 8.2 until 8.2 is dead or its binutils fixed (which is dangerous) - but I can not do that. Ask Rudi, pls.
ok
CVE-2004-0536: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)